how to calculate difference between result of multi aggregation on ELK?
I have an Index that docs is:
id:1
type: Deposit
value:12
timestamp:2022.10.09T00.00.00
####
id:2
type: withdraw
value:15
timestamp:2022.10.9T00.00.00
####
id:3
type: Deposit
value:17
timestamp:2022.10.09T11.00.00
....
So I run multi aggregation such:
"aggs": {
"s1": {
"terms": {
"field": "type",
"size": 10
},
"aggs": {
"SUM": {
"sum": {
"field": "value"
}
}
}
}
My result is:
"buckets" : [ { "key" : "DEPOSIT", "doc_count" : 9, "SO" : { "value" : 78983 } }, { "key" : "WITHDRAW", "doc_count" : 9, "SO" : { "value" : 777445 } }
But I want to calculate "value of DEPOSIT - value of WITHDRAW". what is this query???
You can use bucket_script aggregation for this. The bucket script aggs will look as follows.
"diff": {
"bucket_script": {
"buckets_path": {
"my_var1": "s1['field_value']>s2",
"my_var2": "s1['field_value']>s2"
},
"script": "params.my_var1 - params.my_var2"
}
}
I'm sharing the details and solution below.
POST test_stackoverflow_question/_bulk
{"index":{}}
{"id":"1", "type": "Deposit", "value":12, "timestamp":"2022.10.09T00.00.00"}
{"index":{}}
{"id":"2", "type": "withdraw", "value":15, "timestamp":"2022.10.9T00.00.00"}
{"index":{}}
{"id":"3", "type": "Deposit", "value":17, "timestamp":"2022.10.09T11.00.00"}
A Sibling pipeline ag has the option to select specific keys from multi-bucket if the terms refer to a multipart aggregation such as agg. For example, a bucket_script can select (via package keys) two custom buckets to perform the calculation:
GET test_stackoverflow_question/_search
{
"size": 0,
"aggs": {
"calculate_diff": {
"filters": {
"filters": {
"all": {
"match_all": {}
}
}
},
"aggs": {
"s1": {
"terms": {
"field": "type.keyword",
"size": 10
},
"aggs": {
"s2": {
"sum": {
"field": "value"
}
}
}
},
"diff": {
"bucket_script": {
"buckets_path": {
"my_var1": "s1['Deposit']>s2",
"my_var2": "s1['withdraw']>s2"
},
"script": "params.my_var1 - params.my_var2"
}
}
}
}
}
}
Ref: https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-pipeline-bucket-script-aggregation.html https://www.elastic.co/guide/en/elasticsearch/reference/7.17/search-aggregations-pipeline.html
- Constrain a Specman list so it doesn't have identical values in consecutive elements
- How to type cast a list of uint to a list of vr_ahb_data in Specman?
- Static fields/methods in e
- What is the difference between deep_copy and gen keeping in Specman?
- Specman UVM: What is the difference between write_reg { .field == 2;}; and write_reg_fields?
- Does Specman support optional parameters to a method?
- Specman e: When colon equal sign ":=" should be used?
- Specman e: Is there a way to know how many values there is in an enumerated type?
- Specman e error: No match for file when using "for each line in file"
- How to run e file one by one? Not in parallel test
- Specman/e constraint (for each in) iteration
- Specman e: How driver's items queue can be locked from a sequence?
- Specman e: How to print variable's address?
- Specman e: "keep type .. is a" fails to refine the type of a field
- Specman soft select on variable, decimal vs. hexadecimal values
- Specman e: How to print a pointer to a struct?
- Specman e: Is there a way to print unit instance name?
- Specman e: simultaneous events error
- Specman e coverage: ignored values appear in the coverage statistics
- Specman e: How a sequence should be started when gen_and_start_main constrained to FALSE?
- Specman/e list of lists (multidimensional array)
- Does Specman e have struct constructor?
- Specman e: How the predefined sequence.item should be used?
- Specman e: define-as-computed macro error
- Specman e UVM: Why to inherit from uvm_* units?
- Specman e: A sequence drives its BFM also its MAIN was not defined in a test
- e HVL (IEEE 1647): expect expression fails unexpectedly
- Specman e subtyping: How to refer to FALSE value of conditional field in when/extend subtyping?
- e HVL (IEEE 1647): How to set 'X' value?
- Difference between declaring an event that is sensitive to a simple_port value and event_port